Producing automation and configuration management code with UpGuard

Nov 3, 2015 • Jonathan Frappier

While UpGuard (formerly known as ScriptRock) is great at monitoring and reporting on configuration state, it is not a configuration management tool in the way that Ansible or CFEngine is. It does, however, give you the capability of generating what it calls “automation snippets” for many popular configuration management tools, either to correct an item that has failed a policy check or to fully configure a node.

For example, consider a web server that requires a specific version of Java. If the node fails the policy check because a newer version of Java was installed, you could simply right-click the failed item, go to Create Automation Snippet, and select the type of snippet: a playbook for Ansible, a manifest for Puppet, etc.

As always, start with a few nodes added to UpGuard; you will need to drill down into one of those nodes. Since my previous posts were demoed with Windows, I’ll use Linux here just to mix it up a bit.

There are several areas you can right-click to generate these snippets.

First, you can generate the automation snippet for all items by right-clicking the grey circle at the top.

For example, if I create an automation snippet here for Ansible (Create Playbook Snippet), it will give me the code for every package, user, folder, etc. on the node.

This is obviously noisy, but also very complete if you want to bring another node into the same configuration very easily. You could also create an automation snippet for a specific category such as EnvVars, files, or packages. You can also be as granular as a specific item, a likely scenario for a quick fix to a node that is not in compliance. Here you can see I searched for httpd, expanded Packages and selected the httpd package by itself.

This will produce, as you might expect, just a snippet to ensure httpd is installed.
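To make the two scenarios above concrete (the single-item httpd fix and the web server that drifted to a newer Java), here is a hand-written Ansible playbook added as an illustration; it is not UpGuard's generated output. The `webservers` inventory group, the `java-1.8.0-openjdk` package name and the version value are assumptions for the example, and the play assumes a yum-based node.

```yaml
---
# Added illustration, hand-written: not output generated by UpGuard.
- name: Bring a web node back to the expected package baseline
  hosts: webservers              # assumed inventory group name
  become: true
  vars:
    java_package: java-1.8.0-openjdk   # assumed package name
    java_version: "1.8.0.65"           # constructed sample; use the version your policy expects
  tasks:
    - name: Ensure httpd is installed
      ansible.builtin.yum:
        name: httpd
        state: present

    # A newer Java was installed, so plain "state: present" would be a no-op.
    # Naming the exact version and allowing a downgrade moves the node back.
    - name: Pin Java to the version the policy expects
      ansible.builtin.yum:
        name: "{{ java_package }}-{{ java_version }}"
        state: present
        allow_downgrade: true

    - name: Collect installed package facts
      ansible.builtin.package_facts:
        manager: auto

    # Fail loudly if remediation did not converge, rather than waiting
    # for the next policy scan to report the drift again.
    - name: Verify the node now matches the baseline
      ansible.builtin.assert:
        that:
          - "'httpd' in ansible_facts.packages"
          - java_package in ansible_facts.packages
          - >-
            (ansible_facts.packages[java_package]
            | map(attribute='version') | list) == [java_version]
        fail_msg: "Node still drifts from the expected httpd/Java baseline"
        success_msg: "httpd present and Java pinned to {{ java_version }}"
```

Running it with `ansible-playbook --check --diff` first previews the package changes without applying them; in check mode the final assertion reports the node's current, not yet remediated, state.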

I think that is all I have for UpGuard for now. As you can see, this is a very handy tool for several use cases such as troubleshooting, ensuring device configuration, and even vulnerability scanning.

UpGuard (formerly ScriptRock) recently announced a new, free vulnerability scanner available within their solution. Years ago, Nessus was the de facto tool here, but more recently it has been commercialized. OpenVAS seems to be the new hotness for open source vulnerability scanning, but it is yet another product to introduce into the environment. In my previous two posts (compare / policies) I added two nodes to ScriptRock; I’ll use these again for testing the vulnerability scanner. If you have not already, add a couple of hosts to ScriptRock before you proceed.